ADOT's token technology is the key to securing its telecommuting program, which is part of an overall effort to minimize traffic and pollution around the state. ADOT so far has issued about 960 out of its 1,700 CryptoCard Corp. RB-1 tokens, which replaced the department's original SecurID tokens two years ago.
The token-authentication system, including the server and software, cost ADOT about $66,000 -- the tokens were $60 apiece. That's a lot less costly than a PKI (public key infrastructure), which can run anywhere from $500,000 to $2 million, depending on the size, to build in-house.
"It was another level of security for our network, with a one-time password that's more secure than using a traditional network ID and password," says Nicole Drew, information technology specialist for ADOT, based in Phoenix.
The token system functions like this: An ADOT user working at home dials from a PC or laptop into the closest RRAS (Routing and Remote-Access Service) server. He enters his assigned user PIN (personal identification number) into his CryptoCard token and retrieves a new one-time password, which he then enters into the dial-up dialog box of his PC or laptop. His credentials are validated by the RADIUS server, which accesses the CryptoCard administrative database. "That's where you get authenticated with CryptoCard," says Dempsey Lofton, information technology specialist for ADOT.
The user is assigned an IP address based on his ID and CryptoCard group. "Firewall rules, based on the assigned IP address, dictate which network resources the user can access," Drew says. But that only gets the user onto the network; he uses separate passwords to access e-mail, files, databases and mainframe applications.
ADOT recently installed a second CryptoCard server for redundancy, and the department is test-running a VPN (virtual private network) that will provide an alternative to dial-up for users with high-speed connections. The biggest challenge with the token system is getting users comfortable with the technology when they first receive their token cards. "They aren't familiar with it when they first get it," Drew says. But the tokens are simple to handle, and ADOT users are catching on quickly, according to Drew.
All ADOT had to purchase for the CryptoCard token-authentication system was a Compaq Computer Corp. ProLiant server and Microsoft Windows NT, and the department recently added a second ProLiant server for redundancy in the CryptoCard system. "We have real-time replication both ways, so if one server goes down, we would continue working on a secondary server," Lofton says. He adds that the token system integrated easily into the organization's network, which is primarily an Ethernet backbone with T1 and 56-Kbps connections over the wide area, plus VPN and dial-up links.
Management-wise, the token system adds another layer of hardware. But it's easy to disable a token if one is lost or an employee leaves; it takes about two minutes to cancel, Lofton says. And ADOT can recycle a token by reprogramming it.
The RADIUS server tracks all the remote-access activity, logging a user's access attempts. So if a token doesn't synchronize with the CryptoAdmin database or if an incorrect password is entered, ADOT can trace the history of the attempt to diagnose a problem or detect unauthorized activity.
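The flow described above (PIN into token, one-time password to the RADIUS server, group-based network placement) and the out-of-sync and failed-attempt logging mentioned here can be shown end to end in a small simulation. The following is an added example, not ADOT's or CryptoCard's code: it stands in for the RB-1's proprietary algorithm with the counter-based HMAC construction of RFC 4226 (HOTP), uses a constructed shared secret, a hypothetical group-to-subnet table, and a fixed resynchronization window of five presses, none of which are taken from the article.

```python
import hashlib
import hmac
import struct

# How many presses ahead of the server's counter a drifted token is still accepted.
# The real CryptoAdmin window is not stated in the article; 5 is an assumption.
RESYNC_WINDOW = 5

# Hypothetical mapping from CryptoCard group to the subnet the user is placed in,
# so that firewall rules keyed on source address can decide what he may reach.
GROUP_SUBNETS = {
    "telecommuters": "10.20.30.0/24",
    "pc-lan-staff": "10.20.40.0/24",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226 construction), standing in
    for the token's own algorithm."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Token:
    """The hand-held token: unlocked by the user's PIN, advances its counter on every press."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self.counter = 0

    def press(self, pin: str):
        """Return a fresh one-time password, or None if the PIN is wrong."""
        if not hmac.compare_digest(pin, self._pin):
            return None
        otp = hotp(self._secret, self.counter)
        self.counter += 1          # every press burns a password, even if never submitted
        return otp


class AuthServer:
    """RADIUS-side validation against the administrative database.
    Every attempt, accepted or not, is appended to the log for later tracing."""

    def __init__(self):
        self.db = {}   # user -> {"secret", "counter", "group", "enabled"}
        self.log = []  # (user, outcome, detail)

    def enroll(self, user: str, secret: bytes, group: str):
        self.db[user] = {"secret": secret, "counter": 0, "group": group, "enabled": True}

    def disable(self, user: str):
        """Lost token or departed employee: the record stays, but authenticates nothing."""
        self.db[user]["enabled"] = False

    def authenticate(self, user: str, otp: str):
        """Return the subnet for the user's group on success, None on failure."""
        rec = self.db.get(user)
        if rec is None or not rec["enabled"]:
            self.log.append((user, "REJECT", "unknown or disabled"))
            return None
        # Search forward within the window so a token that was pressed a few
        # times without dialing in is resynchronized rather than rejected.
        for drift in range(RESYNC_WINDOW):
            candidate = rec["counter"] + drift
            if hmac.compare_digest(hotp(rec["secret"], candidate), otp):
                rec["counter"] = candidate + 1   # never accept this or an earlier OTP again
                self.log.append((user, "ACCEPT", f"drift={drift}"))
                return GROUP_SUBNETS[rec["group"]]
        self.log.append((user, "REJECT", "bad password or token out of sync"))
        return None


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-a-real-seed"
    token = Token(secret, pin="4821")
    radius = AuthServer()
    radius.enroll("jdoe", secret, "telecommuters")
    print(radius.authenticate("jdoe", token.press("4821")))   # accepted, drift=0
    for _ in range(3):
        token.press("4821")                                    # presses that are never dialed in
    print(radius.authenticate("jdoe", token.press("4821")))   # accepted, resynchronized
    for entry in radius.log:
        print(entry)
```

The log entries are what an administrator would pull when a user reports that the token "doesn't work": a run of `REJECT` lines with `out of sync` points at a drifted token, while `REJECT` lines for a disabled user point at someone trying a cancelled card.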
For the future, ADOT hasn't ruled out a PKI. Its security group is keeping an eye on PKI options, but ADOT hasn't yet decided whether to go with digital certificates. If it does opt for the certificates, the tokens could be used in conjunction with a PKI, but it's likely that the certificates eventually would replace the tokens.
For now, however, ADOT is comfortable with its remote-access security. "The combination of RADIUS and CryptoCard with our RRAS and VPN servers provides users access to the network with the same functionality they would have in their offices, and it secures our network servers and resources," Drew says.
IT Department Info
- Size of IT Staff: 250 total, including 60 in Drew's PC/LAN department
- Drew's average workweek: 40 to 45 hours; as much as 60 hours during projects and problems
- Biggest challenge: Keeping up with technology in an environment of constant change.
- Latest projects: VPN implementation, Microsoft Windows 2000 Active Directory migration, CryptoCard upgrade to 5.1/SQL.
- Coolest part of the job: "Constant change and learning, and ADOT's striving to keep up with the latest technology."